CVE-2014-0160 aka the HeartBleed bug (Wavelink)

Version 11

    Summary

    Wavelink is aware of the vulnerability in OpenSSL and we are currently investigating it. We will update this document with further information as we have it. We appreciate your patience.

    As updates become available, including any additional information about how this vulnerability affects Wavelink products and progress on any updates or patches, they will be added to this document.

     

    What is this vulnerability?

    There is a bug in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited, it leads to the leak of memory contents from the server to the client and from the client to the server.

    From CVE: "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

     

    For more information, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 and http://heartbleed.com/

     

    How does this affect Wavelink?

     

    Affected Product(s)

     

    TE for Android: No (see reason)

    While our product is not vulnerable, it is currently believed that Android Jellybean version 4.1.1 is vulnerable to Heartbleed. Customers impacted should be directed to contact device manufacturers for an OS update and/or patch.

    Based on guidance from the OpenSSL Project's security advisory, MSI has developed a code patch to remove the vulnerability and secure the above affected products. The patch, along with installation instructions, is available for download at:

     

    Motorola:

    MC40 MC67 ET1 - HeartBleed Security Vulnerability in Android JB 4.1.1 device - SPR25574


     

     

     

    Connect Pro: Yes, only newer versions that were not available on the web site

    Only newer versions that are not generally available on the web site are vulnerable:

    Version 4.5.004 uses OpenSSL 1.0.1e. “OpenSSL 1.0.1 to 1.0.1f are affected.” - This version was not generally released.

    Version 4.5.003 uses OpenSSL 1.0.1c. “OpenSSL 1.0.1 to 1.0.1f are affected.” - This version was not generally released.

    All prior versions have older versions of OpenSSL and are not affected. Current released versions on the web site do not have the vulnerability.

     

    Velocity Server:

    Velocity Server version 1.1.012 supports OpenSSL v1.0.1g

    Velocity Server version 1.1.011 and previous versions are susceptible to Heartbleed.

     

    Velocity for Android: No (see reason)

    While our product is not vulnerable, it is currently believed that Android Jellybean version 4.1.1 is vulnerable to Heartbleed. Customers impacted should be directed to contact device manufacturers for an OS update.
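
The range quoted above for Connect Pro and Velocity Server ("OpenSSL 1.0.1 to 1.0.1f are affected", with 1.0.1g fixed) can be checked against a component inventory. This is an added example, not Wavelink's code; the function names, the "review" state for builds with a suffix, and the banner strings are assumptions made here.

```python
import re

# Range quoted on this page: "OpenSSL 1.0.1 to 1.0.1f are affected"; 1.0.1g is fixed.
FIRST_AFFECTED = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-[\w.+~]+)?")


def classify(banner):
    """Classify an OpenSSL version string for CVE-2014-0160.

    Returns "affected", "not_affected" or "review". "review" means the string
    carries a build suffix (-fips, a distro revision, -beta1), so the range
    above does not settle it: vendors backport fixes without changing the letter.
    """
    m = _VERSION.search(banner)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), m.group(5)

    if base < FIRST_AFFECTED:
        return "not_affected"            # 0.9.8 and 1.0.0 lines predate the range
    # Letters sort a < b < ... < z < za, so compare by (length, text).
    if base == FIRST_AFFECTED and (len(letter), letter) >= (1, FIRST_FIXED_LETTER):
        return "not_affected"            # 1.0.1g or a later 1.0.1 letter release
    if suffix:
        return "review"
    return "affected" if base == FIRST_AFFECTED else "not_affected"


def audit(inventory):
    """Map each component name to its classification."""
    return {name: classify(banner) for name, banner in inventory.items()}


# Versions as listed on this page; the banner formatting is constructed.
SAMPLE = {
    "Connect Pro 4.5.004": "OpenSSL 1.0.1e",
    "Connect Pro 4.5.003": "OpenSSL 1.0.1c",
    "Velocity Server 1.1.012": "OpenSSL 1.0.1g",
    "constructed: distro build": "OpenSSL 1.0.1e-2+deb7u5",
    "constructed: older line": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE).items():
        print(f"{verdict:13} {name}")
```

A "review" result needs the vendor's or distribution's own advisory for that build; the version string cannot show whether the fix was backported.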

     

    Non-Affected Product(s):

    Wavelink Avalanche and Avalanche on Demand (AOD)

    Wavelink TE Windows

    Wavelink TE CE

    Wavelink TE IOS

    Wavelink Emulation License Server

    Wavelink Enablers CE & Windows

    Wavelink Velocity CE

    Wavelink Studio Server

    Wavelink Studio (Client Side)

    Wavelink Remote Control

    Wavelink Speakeasy